Vineet Aggarwal, Senior Information Security Consultant

SABIC

Location: Saudi Arabia - Jubail
Education: Bachelor's degree, Computer Science and Engineering
Experience: 24 years, 10 Months


Work Experience

Total years of experience: 24 years, 10 Months

Senior Information Security Consultant at SABIC
  • Saudi Arabia - Jubail
  • My current job since June 2017

• Implemented ISO 27001:2013 in SABIC Europe region
• Currently leading ISO 27001:2013 implementation in SABIC MEA, APAC and Europe regions; scope includes 26 functions from MEA, 11 functions from Europe and 9 functions from APAC
• Reviewed and updated the Information Security Policies and Procedures
• Prepared the Asset Inventories
• Prepared the Statement of Applicability to reflect the applicable ISO 27001 controls
• Conducting ISO 27001 Annex A controls oriented Gaps Assessment
• Doing the Risk Assessments, and have prepared various Risk Scenarios
• Preparing the Risk Mitigation and Treatment Strategies to tackle the identified risks and fulfil the control requirements
• Delivering Information Security Awareness Sessions across Europe, MEA and APAC regions
• Revised and updated the KPIs and measures of effectiveness for all the information security projects
• Did the GDPR gaps assessment to align with ISO 27001 requirements
• Facilitated the ISO 27001 surveillance audit for SABIC MEA region

Senior Consulting Manager at Wipro
  • India - Bengaluru
  • April 2015 to May 2017

• Performed cloud security assessments
• Established an integrated cyber security audits approach to identify and address risks (integrated the NIST 800-53, ISO 27001, PCI DSS and data privacy aspects)
• Improved the audit reporting templates and automated the follow-ups and closure of the audit gaps
• Did the Test of “Design” and Test of “Operating Effectiveness” of the Wipro Data Center and Critical IT applications and prepared the action plans to ensure proper security controls deployment
• Identified security gaps in the contractual clauses with a large BFSI spread across Europe and UK when I did the Contractual Obligations; this led to amendment of contracts, assigned clear ownership, and strict deadlines to close the risks which I had reported

Senior IT Audit Manager at Wipro
  • India - Bengaluru
  • December 2014 to March 2015

• Performed the Privacy Impact Assessments of the core applications
• Analyzed and overhauled the internal audits approach by suitably integrating technical and cybersecurity aspects leading to in-depth and comprehensive audits rather than only financial focus

Senior Information Security Consultant at Oman LNG
  • Oman - Sur
  • January 2014 to November 2014

• Implemented ISO 27001:2013 full implementation, documentation of all ISMS mandatory requirements, policies, procedures, corrective actions and preventive actions
• Mapped the IT and PCD (Industrial Security) controls
• Created the roadmap for integration and compliance
• Created the governance structure covering both IT and OT
• Created the Asset Registers
• Prepared the Statement of Applicability to reflect the applicable ISO 27001 controls
• Conducted ISO 27001 Annex A controls oriented Gaps Assessment
• Did the Risk Assessment
• Prepared the Risk Mitigation and Treatment Strategies to tackle the identified risks and fulfil the control requirements
• Selected SANs in Europe as their Information Security vendor and got their COTs deployed at Oman

Information Security Consultant at Philips
  • India - Hyderabad
  • September 2012 to January 2014

• Performed gap analysis, BIA and continuity requirement analysis on the lines of ISO 22301 for Business Continuity
• Created the business continuity strategy for Philips
• Prepared the roadmap for cloud migration
• Facilitated ISO 27001:2013 surveillance by reviewing all ISMS mandatory requirements, policies, procedures, NC tracker status
• Strategized and clubbed the deliverables into sprints and assigned clear ownerships between Philips, Amazon Web Services (AWS), Salesforce, Wipro (onsite and offshore) teams - resulting in CSI jump up from 5 to 7 within 1 quarter itself
• Enhanced the existing format of the Asset Registers
• Performed the BIA (Business Impact Analysis)
• Did the Risk Assessment
• Prepared the Risk Mitigation and Treatment Strategies to tackle the identified risks and fulfil the control requirements

Emergency Performance Manager at Ericsson Global
  • India - Delhi
  • November 2011 to September 2012

• Created the processes, SLAs and OLAs for disaster recovery
• Established the coordination schemas and workflows resulting in smoother and well-organized handling of the reported downtimes globally
• Built the repository of closure actions and lessons learnt from the resolved emergencies thus further reducing the resolution times globally

Business Continuity and Disaster Recovery Lead at CSC
  • India - Delhi
  • August 2008 to November 2011

• Did the vendors assessments and selected BC vendor for the RBS client
• Got the “Right to Audit” clause included in the contracts with BC services vendors
• Started the practice of publishing the ‘Information Security mails’
• Established mechanisms for bomb threat handling
• Supported the ISO 27001 surveillance audits by defending the evidences furnished for closure of the NCs
• Performed the Business Impact Analysis (BIAs)
• Created the Disaster Recovery Plans for critical functions as well as for admin and finance departments
• Created the vulnerability assessment and penetration testing plans in coordination with the IT department
• Participated in creating the regional Business Continuity Plans
• Mentored the teams, leading to them keeping the call trees up to date themselves

Information Security Manager at Tata Consultancy Services
  • India - Delhi
  • January 2001 to August 2008

• Created the unified controls framework by mapping ISO 27001, ISO 22301, NIST SP 800-53 and Critical Security Controls (CSC) to consistently deploy information security
• Reviewed and maintained the various mandatory ISMS documentation, information security policies and procedures
• Deployed anti pass back, and positive identification for issuing the ID cards
• Created the governance structure to:
  o Keep the Asset Inventories and Risk Assessment Reports regularly updated
  o Regularly track and timely close the NCs in a proper manner
• Enforced mandatory retention of access logs by the BMS team for at least 6 months
• Started cross delivery verification of the official couriers
• Prepared the Business Continuity Plans for Finance, Admin and Travel departments
• Established the Fire Committee comprising the Fire Wardens and Floor Evacuation Marshals
• Created the vulnerability assessment and penetration testing plans in coordination with the IT department
• Conducted Internal Information Security Audits for clients across India, especially in the Telecom, BFSI and Manufacturing verticals

Information Security Consultant at Tata Consultancy Services
  • India - Delhi
  • July 1999 to December 2000

• Prepared and delivered several Information Security, ITIL and COBIT trainings
• Actively participated in the internal information security Audits of the BFSI, Insurance, Oil and Gas, Telecom and Manufacturing verticals
• Created audit reports for higher management
• Prepared the ITIL oriented processes for problem management and change management
• Actively followed-up with projects and support functions to ensure they understand and prepare the closure actions on the security gaps identified in the internal audits
• Tracked and maintained the closure actions in the centralized repository

A hands-on professional with 18 years of Information Security experience in cybersecurity lifecycle management, risk assessment, security controls gaps assessment, ISMS deployment, Data Privacy assessments, cloud and mobility security enforcements, business continuity deployment, DLP security assessment, industrial security controls assessment, Information security audits and people management.

Career Highlights

1. Strategized and successfully managed IT Compliance Assessments and deployments
2. Rs 10.75 mn cost recovered - Reviewed the existing processes identifying the payment overpaid to the transport vendors by Wipro BPO
3. € 10M penalties saved - Identified and plugged the design gaps via which the PII, sensitive and confidential information can be pilfered; thus, protected Wipro from being penalized
4. 25% TAT reduction - Simplified the deployed computing processes and ensured that the operational processes are defined completely and subjected to regular peer reviews
5. Got consistently high Customer Satisfaction Scores, consistently enlisted in Wipro Winner’s Circle for 4 consecutive years

Education

Bachelor's degree, Computer Science and Engineering
  • at Thapar University
  • June 1999

Certified Information Systems Auditor (CISA)
Certified Information Systems Security Professional (CISSP)
Certified Business Continuity Planner (CBCP)
ISO 22301 Certified Lead Auditor
ISO 27001 Certified Lead Auditor

Specialties & Skills

Information Security Management
Risk Management Consulting
Audit Management
Business Process Improvement
Compliance Management
Customer Relations
Delivery
Human Resources
Information Security
ISO 27001 Deployment
People Management
Business Continuity
Disaster Recovery Management
IT Compliance Audits

Languages

English: Expert
Punjabi: Expert
Hindi: Expert
Arabic: Beginner